Hey Steve, and thanks for your time.
You missed the point of my question a tiny bit, though. I figured out that in order to get my “owner” field to show up when using populate=* I need to enable “find” permission on the user role. That’s what got it working.
But that also exposed all the users in /api/users endpoint, which was an undesired side-effect. But I sort of got around that also by extending user-permissions by adding strapi-server.js and only returning an empty object from the endpoint there. More about it here:
Alan